The use of electronic data and other information has become an integral part of our daily lives. Each day, more and more emails, texts, electronic documents, and other forms of electronic data are stored or transmitted throughout the world by businesses and individuals alike. Accordingly, there exists an increasing need to protect the confidentiality of information contained within the electronic data from unauthorized disclosure.
In some cases, this electronic data may include sensitive data, such as bank account statements, credit card numbers, trade or government secrets, intellectual property or personally identifiable or protected healthcare information (e.g., medical histories, social security information, etc.), which has intrinsic value to both legitimate and non-legitimate actors. For some types of sensitive data, the protection of its confidentiality is more than just prudent, it is a legal requirement. For example, the Health Insurance Portability and Accountability Act (HIPAA) outlines legal requirements for maintaining the confidentiality of personal health information, where legal non-compliance may result in civil or criminal penalties, reputation damage, or legal action.
Encryption is one technique for protecting the confidentiality of information from eavesdroppers or other unauthorized parties. The goal of encryption is not to hide the existence of such information, but rather, to hide its meaning. Hence, encrypted data includes data that has been obfuscated according to a selected cryptographic key and cryptographic cipher. By obfuscating the data, the confidentiality is assured and the data is rendered computationally (as opposed to information-theoretically) secure. That is, although an attacker may theoretically break a scheme by enumerating all possible keys, the confidentiality of the data is protected when it is considered infeasible for the attacker to uncover data as plaintext (e.g., non-encrypted data) from stored or transmitted ciphertext (e.g., encrypted data) in any reasonable amount of time given available computing power. This notion of confidentiality for an encryption scheme is that it prevents “message-recovery attacks.”
In the past, prior cryptography techniques have been configured to prevent unauthorized access to the data by third parties. While some prior cryptography techniques can, in fact, be very difficult to attack and bypass, such techniques have remained vulnerable to attack for several reasons. Some of these reasons may include the fact that many of these prior cryptography techniques use only (i) a single cipher when encrypting the data or (ii) a single key to encrypt all of the data in a message.
In the past, the use of a single key and/or cipher applied across the entirety of a message has aided attackers in bypassing the benefits associated with using such cryptographic techniques, especially where the key length is sufficiently short to allow the key to be (relatively) easily uncovered. More specifically, if a cryptographic algorithm features a key space that is too small, there is an increased probability of the key being discovered by an exhaustive key search, namely a “brute force attack.” Such an attack tests every possible key until it finds the right one. For example, a 56-bit key space for the Data Encryption Standard (DES) algorithm has been recently determined to be inadequate, given that customized application specific integrated circuit (ASICs) may be developed to uncover a key in approximately 26 hours.
Also, the use of a single key to encrypt data has often been ineffective in preserving confidentiality as the encrypted data becomes vulnerable to key recovery or side channel attacks against vulnerabilities in an encryption algorithm, protocol, or implementation. Additionally, cryptanalysts (i.e., people who specialize in finding weaknesses in cryptosystems) routinely discover vulnerabilities innate to cryptosystems themselves. In some situations, the vulnerability may emerge, at least in part, because of technological advances (e.g., increased data processing capabilities, quantum computing, or the like). In others, widely used encryption schemes and cryptosystems (e.g., RC4 stream cipher) may be determined to be vulnerable due to inherent design characteristics. In either case, continued use of these encryption schemes (or cryptosystems) would not be recommended as the totality of the data may be compromised if a brute-force attack is conducted.
Given these many threats to data security, improvements in cryptographic schemes to protect such data are continually needed.